New ISACA Study: Privacy Teams Are Shrinking, Increasingly Stressed

A padlock featuring a keyhole, symbolizing security and protection.
Author: ISACA
Date Published: 15 January 2026
Read Time: 5 minutes

ISACA’s latest State of Privacy survey report also finds rising use of AI among privacy professionals

Schaumburg, IL—Privacy professionals are facing a data-dominated landscape, a complex web of regulations and more limited resources this year. According to the State of Privacy 2026 survey report from ISACA, the association supporting the global workforce advancing trust in technology, these professionals are feeling increasingly strained, with 65 percent saying their roles are more stressful now compared to five years ago.

This report, with insights gathered from more than 1,800 privacy professionals in the ISACA community worldwide, found that respondents were most stressed by the rapid evolution of technology (71 percent, up from 63 percent last year), followed by compliance challenges (62 percent) and resource shortages (61 percent).

Strained resources and teams

When it comes to resources, 43 percent of respondents report that their privacy budget is underfunded, with 36 percent citing it as appropriately funded. Respondents are less optimistic about their privacy budget for next year, with 22 percent saying it will increase (down from 26 percent in 2025), and only 2 percent saying it will remain the same. Half anticipate a decrease in their privacy budget in the next 12 months.

Shrinking team sizes are also a concern with the median privacy staff size dropping from eight in 2025 to five this year. Respondents indicate that both technical (47 percent) and legal/compliance (37 percent) roles on their teams are understaffed. Additionally, 53 percent believe that skills gaps exist with today’s privacy professionals—with technical expertise (54 percent) and experience with different types of technologies and/or applications (52 percent) ranking as the top two. 

To address skill gaps, the survey finds that privacy teams are training non-privacy staff who are interested in moving into privacy roles (48 percent) and increasing the usage of contract employees or outside consultants (36 percent). This tracks with the more than half (55 percent) who note that 50 percent or more of their privacy staff consist of those who started their career in a completely different field and have transitioned into a privacy role—compared to only 25 percent who indicate that 50 percent or more of their privacy staff is comprised of those who started their career and privacy and remain in privacy today.

“The pressing challenges that privacy professionals face in an increasingly complex data privacy threat landscape and regulatory environment underscore how critical it is for organizations to dedicate the necessary resources to support privacy teams in their vital work,” says Safia Kazi, ISACA principal research analyst-- privacy. “Investing in and empowering privacy teams is not only an operational requirement for organizations but also a vital step in building trust and resilience.”

Obstacles and breaches

Forty-three percent of respondents say they are confident in their organization’s ability to ensure the privacy of its sensitive data. However, 44 percent also indicate that their organization’s privacy program faces obstacles, including:

  • Management of risks associated with new technologies (52 percent)
  • Complex international legal and regulatory landscape (45 percent)
  • Lack of competent resources (43 percent)

In looking at where privacy programs go wrong, respondents identified the following as the most common privacy failures within an organization:

  • Lack of training or poor training (51%, up from 47% in 2025)
  • Not practicing privacy by design (50%, up from 41% in 2025)
  • Data breach/leakage (44%)

Additionally, 14 percent of respondents say their organizations experienced a material privacy breach in the past 12 months. While 23 percent note they did not see a change in the number of breaches, 19 percent (up from 15 percent in 2025) expect a material privacy breach in the next 12 months—reflecting a slight increase in pessimism in this area.

Privacy programs, frameworks and controls

The survey also found that privacy professionals are using a variety of privacy controls within their organizations, but are shifting slightly away from identity and access management—with the top controls identified as 1) data security (72 percent), 2) encryption (68 percent, down from 73 percent in 2025), 3) data loss prevention (65 percent), and 4) identity and access management (63 percent, down from 75 percent in 2025).

Slightly fewer organizations also appear to be practicing privacy by design—58 percent always or frequently practice privacy by design when building new applications or services, down from 62 percent in 2025.

Eighty-two percent of respondents said they used a framework or law/regulation to manage privacy in their organization, the most common being GDPR (51 percent) and the NIST Privacy Framework (45 percent). Slightly under half (46 percent) say they are very or completely confident in their organization’s privacy team’s ability to achieve compliance with new privacy laws and regulations. And though only 31 percent of respondents say they find it easy to understand their privacy obligations, slightly fewer than last year say they consider it to be difficult—20 percent, compared to 24 percent in 2025.

Additionally, slightly more organizations are using AI for privacy. Twenty-six percent say they have no plans to use AI (bots or machine learning) to perform any privacy-related tasks, which is down from 36 percent in 2024 and 31 percent in 2025). However, 38 percent indicate they plan to use AI for this function in the next 12 months.

“As the regulatory landscape continues to evolve and the use of AI expands, privacy professionals must adapt alongside these changes as well, continuously learning and updating the guardrails they employ to protect sensitive information for trusted AI adoption,” says David Kuo, ISACA Emerging Trends Working Group member, and executive director, data and privacy for a major US bank. “These practitioners will be pivotal in navigating the complexities of tomorrow’s dynamic, digital world to effectively safeguard privacy and ensure compliance through privacy by design.”

Kazi will delve further into the survey findings in an ISACA webinar taking place 20 January. Register at https://store.isaca.org/s/community-event?id=a33VQ000001bqyLYAQ to attend or to access on-demand until 20 January 2027.

To access the survey report and related resources, visit www.isaca.org/state-of-privacy. For additional privacy resources, visit www.isaca.org/resources/privacy.

About ISACA

ISACA® (www.isaca.org) champions the global workforce advancing trust in technology. For more than 55 years, ISACA has empowered its community of 190,000+ members with the knowledge, credentials, training and network they need to thrive in fields like information security, governance, assurance, risk management, data privacy and emerging tech. With a presence in more than 190 countries and with more than 230 chapters worldwide, ISACA offers resources tailored to every stage of members’ careers—helping them to thrive in a rapidly changing digital landscape, drive trusted innovation and ensure a more secure digital world. Through the ISACA Foundation, ISACA also expands IT and education career pathways, fostering opportunities to grow the next generation of technology professionals.

LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews

Contact:

communications@isaca.org
Emily Ayala, +1.847.385.7223
Bridget Drufke, +1.847.660.5554

Press Releases By Year

Check Mark 2026
Check Mark 2025
Check Mark 2024
Check Mark 2023
Check Mark 2022
Check Mark 2021